Thinking Outside the Sandbox - Violating Trust Boundaries in Uncommon Ways

Explore uncommon techniques for bypassing application sandboxes in this Black Hat conference talk. Delve into four successful sandbox bypass methods used in Pwn2Own contest entries, analyzing attack vectors, root causes, and potential fixes. Learn about restricted access tokens, job object limitations, window station isolation, and mandatory integrity control. Examine attack surface archetypes, including IPC handling and shared resources. Discover unique approaches like abusing save file dialogs, clipboard manipulation, elevation policy exploitation, and symbolic link attacks. Gain insights into the evolving landscape of exploit development and understand how these techniques violate trust boundaries in modern browsers and plugins.

Introduction
whois Jasiel Spelman
Don't let mitigations get in your way!
Restricted Access Tokens
Job Object Limitations
Window Station and Desktop Isolation
Mandatory Integrity Control
Sandboxed Process Communication
Attack Surface Archetypes
Inter-Process Communication Handling
Shared Resources
Additional Vectors
Uncommon Attack Vectors
Internet Explorer Save As Dialog Sandbox Escape
Save File Dialog Abuse
Google Chrome Clipboard Sandbox Bypass
Clipboard Abuse
Internet Explorer Presentation test Sandbox Bypass
Elevation Policy Abuse
Google Chrome Symbolic Link Sandbox Escape
Symbolic Link Abuse
Conclusion
Drives Next Evolution in Exploits